Ransomware attacks increased 51% in 2023. A big factor was RaaS (Ransomware as a Service). It’s become so easy to mount an attack that you can download everything you need to attack a competitor or someone with which you simply don’t agree with just a single click.
It’s the big breaches that make the news, with millions of customers affected and millions spent on recovery, remediation, or ransom. The really important news is if your small business is targeted, it may not be around to celebrate another year.
Over a decade ago, one of my clients was attacked. It became a CEE (Company Extinction Event). It was an inside job by a team of criminals. Their first act was to get hired to get in place to execute the crime. After the breach was discovered, our learning curve climbed straight up. I’ll never forget the client’s lament, “But I changed the locks on the doors when I fired them.
That was the first, and the last serious breach I experienced. That was the year I met Special Agent Mike and added the FBI and some network specialists to my ResourceArmy. However, the number of attempts has increased over the years as well as the risks.
In 2023 I committed to learning everything I could about cybersecurity. I learned about attack vectors, vulnerabilities, mitigation, all the acronyms, and most importantly, how to manage risk. If you are a small business owner or business professional, I have some good news for you. Focusing on these three things can reduce a major amount of your cybersecurity risk.
Reduce Cyber Crime with a Focus on Three Critical Risks
More good news. The items I’m about to share don’t cost a lot of money, require technical expertise, or a bunch of your time. The best news is putting them in play can reduce your risk of becoming a victim of cyber crime by up to 90%.
Compromising your login credentials - is the biggest risk, according to Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist. It’s called phishing and it’s the 1# attack vector. It happens when you receive a bogus email that contains a message compelling you to share your username and password with an unauthorized person or organization. The message may arrive in a video, text, voicemail, or even a QR code.
This is your first opportunity to stop cyber crime cold. The advent of AI, has provided hackers with the tools to deliver realistic, convincing messages, so don’t be fooled:
- Even if you were born at night, I’m sure it wasn’t last night. Slow down, don’t click any links or take the requested action until you are sure it’s a legitimate communication.
- Unfortunately eventually you are going to “click before you think”. Take a deep breath and tell your IT support.
- Reduce your risk by strengthening your login policy and procedure.
- Use a password vault like 1Password that allows you to create strong passwords and helps you automatically login without needing to keep all your passwords in your head or on post-it notes.
- Add MFA (Multi-Factor Authentication) to your access process that requires an additional piece of information before granting access. Resource links below.
Failure to Patch Software - This is Roger’s #2 Attack Vector. There was a time when most vendors distributed software patches once a month. That’s no longer good enough. Last week I learned of an incident where once a patch was released, the IT department applied the patch two weeks later, but the hackers exploited the unpatched software at the end of the first week. Don’t be late:
- Start by identifying all software which may require patching. Where is it, how are patches distributed, how are they applied, who is responsible?
- Whenever possible, choose the “Auto-Update” option for all your software updates.
- If you can’t choose “Auto-Update”, set a calendar reminder to check for updates weekly (instead of weakly). Don’t let the hackers get ahead of you.
Eliminating software to reduce risk - Our #3 comes from my playbook. Like the number of locks in the photo above, right now there is an abundance of software lurking on your phone, your hard drive or in the cloud that puts you or your organization at risk of cyber crime. You have probably forgotten all about it. You stopped patching it, the password hasn’t been changed, but it’s still there. It’s time to let it go:
- Take inventory and clean house. Use the link below to download my Tools Inventory resource. It’s great for finding software and accounts you no longer use.
- Start with your mobile devices. Before you delete the Apps, confirm you’ve closed the accompanying online account.
- Next inventory your computer Apps. Don’t forget to decide what you will do with your data files, especially if it contains customer information.
- Finish with your online accounts. Use the items in your password vault as a checklist.
That’s it! Start with any of these items. Even if you only have time to tackle one or two items you will reduce your risk of experiencing cyber crime.
While cybersecurity is a complex challenge, you don’t need to face it alone. If you have concerns about your digital security, contact me, I’m open to a conversation.
Some final points:
- Pause before clicking links or taking action on external messages.
- Patch all your software weekly.
- Kick your old software to the curb!
“Cybersecurity is everyone’s business.”
- Jerry Gitchel, RHB, MSH
Resources:
- Data-Driven Computer Defense by Roger A. Grimes - although written for cybersecurity professions, it is an jargon-free explanation of why # 1 and 2 above are so important.
- KnowBe4 on-demand webinar- Password Masterclass.
- Invest 20 minutes in a taking a inventory of your digital tools
- How Multi Factor Authentication reduces your risk of phishing attacks